Shorewall users - Nov 2002 - can''t access firewall with SSH from net

Hi,

i have 1 debian 3.0 firewall server kernel 2.4.18bf24 and 1 machine behind 
it.
The server has 2 nics: eth0 is connected via cable modem to the net and gets 
his
ip via DHCP from ISP, eth1 is 192.168.0.1 and connected to a hub.
My pc receives a ip adres automatically from the dhcp server that is running
on my firewall/server but since i only have 1 machine connected for the 
moment
the ip is always 192.168.0.15.

I started from Quickstart guide for a "Two-interface Linux System "
and left
most files untouched except the ones listed below.

I have 2 questions/problems:
1) Allowing ssh access from the net to the firewall server doesn''t
work.
I can access the firewall from my local machine via ssh (i''m using
putty on
windows on that local machine) but using putting at work to access the 
machine
doesn''t work. I have used ssh at work before so that isn''t a
blocking
factor.
A friend tried to connect from his work but that also didn''t work.
Are my config files correct to allow ssh in from the net?

2) Another strange thing (at least to me :-) ) is that with changes to the
configs like they are posted below (except for the rules which was empty in 
the
beginning) all stuff like news, mail, ftp, www seemed to work. Is that 
because
of the masq file or because of the "loc net ACCEPT" policy? If this is
because
of the policy "loc net ACCEPT" how come you have to add rules for ssh,
dns
and so on?
If i look to sampleconfig on the shorewall site, all stuff like www, news 
and
so on is added in the rules even if the policy file says "loc net
ACCEPT".
Should i add this too?

Here are my configs:
(i did them by heart since i''m at work and can''t ssh to the
server to get
my configs :-) )

interfaces
=========net eth0 detect dhcp,noping,norfc1918,blacklist
loc eth1 detect   # could be that is was loc eth1  192.168.0.255

shorewall.conf
=============most important config params
FW=fw
NAT_ENABLED=yes
MANGLE_ENABLED=yes
IP_FORWARDING=on

masq
===eth0  eth1

policy
=====loc net ACCEPT
net all DROP info
all all REJECT info

rules
====# ssh from local machine
ACCEPT loc    fw    tcp   ssh

# ssh from internet to the firewall machine
ACCEPT net   fw     tcp   ssh

# DNS queries from local machine + access to isp''s proxy on 8080
ACCEPT fw    net    tcp   53
ACCEPT fw    net    udp   53
ACCEPT fw    net    tcp   8080
ACCEPT fw    net    udp   ntp

routestopped
===========eth1

Thanks,
Benedict




_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*  
http://join.msn.com/?page=features/junkmail

--On Wednesday, November 06, 2002 12:41 PM +0100 Benedict Verheyen 
<wsbenedictv@hotmail.com> wrote:
> 1) Allowing ssh access from the net to the firewall server doesn''t
work.
> I can access the firewall from my local machine via ssh (i''m using
putty
> on windows on that local machine) but using putting at work to access the
> machine doesn''t work. I have used ssh at work before so that
isn''t a
> blocking factor. A friend tried to connect from his work but that also
> didn''t work. Are my config files correct to allow ssh in from the
net?
>
Is ssh allowed from the net in your /etc/hosts.allow and /etc/hosts.deny 
files?
> 2) Another strange thing (at least to me :-) ) is that with changes to the
> configs like they are posted below (except for the rules which was empty
> in the beginning) all stuff like news, mail, ftp, www seemed to work. Is
> that because of the masq file or because of the "loc net ACCEPT"
policy?
> If this is because of the policy "loc net ACCEPT" how come you
have to
> add rules for ssh, dns and so on?
The default policy of ALLOW from loc->net allows any net access from the
> If i look to sampleconfig on the shorewall site, all stuff like www, news
> and so on is added in the rules even if the policy file says "loc net
> ACCEPT".
Which sample configs on the web site? The web site has many examples.

Should i add this too?

You need a rule only if the applicable policy doesn''t allow the 
application. So for example, if you want to run a news server on your 
firewall and make it available to your local network, you would have to 
include:

ACCEPT	loc	fw	tcp	119

That is because the default loc->fw policy is REJECT (the all->all policy 
applies).
>
> Here are my configs:
The rule that you have for ssh is fine.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

--On Wednesday, November 06, 2002 6:56 AM -0800 Tom Eastep 
<teastep@shorewall.net> wrote:
>> 2) Another strange thing (at least to me :-) ) is that with changes to
>> the configs like they are posted below (except for the rules which was
>> empty in the beginning) all stuff like news, mail, ftp, www seemed to
>> work. Is that because of the masq file or because of the "loc net
>> ACCEPT" policy? If this is because of the policy "loc net
ACCEPT" how
>> come you have to add rules for ssh, dns and so on?
>
> The default policy of ALLOW from loc->net allows any net access from the
That should have said that the default policy of ALLOW form loc->net allows 
any net access from the local zone.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

>From: Tom Eastep <teastep@shorewall.net>
>Is ssh allowed from the net in your /etc/hosts.allow and /etc/hosts.deny 
>files?
Ha, i didn''t touch those files so i suppose that it isn''t
allowed by the
default installation of ssh. Maybe the .deb package did some changes to 
/etc/hosts.allow but i don''t think so. i haven''t worked with
those files
before so i''ll have to check what to add to these. I''ll look
into it.
Is it so that if ssh isn''t specified in /etc/hosts.allow, that the 
connection will be refused before it''s logged by the server?
I checked /var/log/messages last night and i *think* i didn''t see any 
specific entries there regarding the firewall denying access from ssh.
I think this might be what''s stopping me from connecting.
If that''s not the case, i guess that then my isp is responsible for
blocking
the 22 port.
>>If i look to sampleconfig on the shorewall site, all stuff like www,
news
>>and so on is added in the rules even if the policy file says "loc
net
>>ACCEPT".
I meant the config files from your network: My Configuration Files (
http://www.shorewall.net/myfiles.htm)



_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

I have almost exactly the same configuration as you: Debian 3.0
firewall, kernel 2.4.19, one machine behind it with a "static" DHCP
address.

I can ssh to my fw from the net, and the only rule required is in
/etc/shorewall/rules:

	ACCEPT   net   fw   tcp 22

It looks like you have that.  It''s a long-shot but you have
"ssh"
instead of "22".  I suppose if for some bizarre reason your
/etc/services file didn''t have an entry for ssh your rule
wouldn''t work.

- Colin



Benedict Verheyen wrote:
> Hi,
> 
> i have 1 debian 3.0 firewall server kernel 2.4.18bf24 and 1 machine behind 
> it.
> The server has 2 nics: eth0 is connected via cable modem to the net and
gets
> his
> ip via DHCP from ISP, eth1 is 192.168.0.1 and connected to a hub.
> My pc receives a ip adres automatically from the dhcp server that is
running
> on my firewall/server but since i only have 1 machine connected for the 
> moment
> the ip is always 192.168.0.15.
> 
> I started from Quickstart guide for a "Two-interface Linux System
" and left
> most files untouched except the ones listed below.
> 
> I have 2 questions/problems:
> 1) Allowing ssh access from the net to the firewall server doesn''t
work.
> I can access the firewall from my local machine via ssh (i''m using
putty on
> windows on that local machine) but using putting at work to access the 
> machine
> doesn''t work. I have used ssh at work before so that
isn''t a blocking
> factor.
> A friend tried to connect from his work but that also didn''t work.
> Are my config files correct to allow ssh in from the net?
> 
> 2) Another strange thing (at least to me :-) ) is that with changes to the
> configs like they are posted below (except for the rules which was empty in
> the
> beginning) all stuff like news, mail, ftp, www seemed to work. Is that 
> because
> of the masq file or because of the "loc net ACCEPT" policy? If
this is
> because
> of the policy "loc net ACCEPT" how come you have to add rules for
ssh, dns
> and so on?
> If i look to sampleconfig on the shorewall site, all stuff like www, news 
> and
> so on is added in the rules even if the policy file says "loc net
ACCEPT".
> Should i add this too?
> 
> Here are my configs:
> (i did them by heart since i''m at work and can''t ssh to
the server to get
> my configs :-) )
> 
> interfaces
> =========> net eth0 detect dhcp,noping,norfc1918,blacklist
> loc eth1 detect   # could be that is was loc eth1  192.168.0.255
> 
> shorewall.conf
> =============> most important config params
> FW=fw
> NAT_ENABLED=yes
> MANGLE_ENABLED=yes
> IP_FORWARDING=on
> 
> masq
> ===> eth0  eth1
> 
> policy
> =====> loc net ACCEPT
> net all DROP info
> all all REJECT info
> 
> rules
> ====> # ssh from local machine
> ACCEPT loc    fw    tcp   ssh
> 
> # ssh from internet to the firewall machine
> ACCEPT net   fw     tcp   ssh
> 
> # DNS queries from local machine + access to isp''s proxy on 8080
> ACCEPT fw    net    tcp   53
> ACCEPT fw    net    udp   53
> ACCEPT fw    net    tcp   8080
> ACCEPT fw    net    udp   ntp
> 
> routestopped
> ===========> eth1
> 
> Thanks,
> Benedict
> 
> 
> 
> 
> _________________________________________________________________
> Help STOP SPAM with the new MSN 8 and get 2 months FREE*  
> http://join.msn.com/?page=features/junkmail
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

>From: Colin Viebrock <colin@easydns.com>
>Reply-To: colin@easydns.com
>To: Benedict Verheyen <wsbenedictv@hotmail.com>
>CC: shorewall-users@shorewall.net
>Subject: Re: [Shorewall-users] can''t access firewall with SSH from
net
>Date: Wed, 06 Nov 2002 11:27:11 -0500
>
>I have almost exactly the same configuration as you: Debian 3.0
>firewall, kernel 2.4.19, one machine behind it with a "static"
DHCP
>address.
>
>I can ssh to my fw from the net, and the only rule required is in
>/etc/shorewall/rules:
>
>	ACCEPT   net   fw   tcp 22
>
>It looks like you have that.  It''s a long-shot but you have
"ssh"
>instead of "22".  I suppose if for some bizarre reason your
>/etc/services file didn''t have an entry for ssh your rule
wouldn''t work.
>
>- Colin
Yeah, i thought that too but that''s not it:
arthur:~# cat /etc/services | grep "ssh"
ssh     22/tcp   # SSH Remote Login Protocol
ssh     22/udp   # SSH Remote Login Protocol

And i had specified 22 instead of ssh already.

Also, today i tried to login from work to the firewall several times
and when i came home i checked /var/log/messages. Not one packet was logged 
there that had to do with ssh so the connection presumably didn''t reach
the
firewall otherwise it would have logged the deny or drop lines!

So, my guess is the /etc/hosts.allow file is wrong or my isp blocking this 
port.
Do you have a specific entry for /etc/hosts.allow? Mine is empty as is my 
/etc/hosts.deny.

I will try once by adding "sshd:  ALL" to /etc/hosts.allow and see
what
happens.

Another thing i noticed is that i have 2 sshd''s running
root 216  0.0  0.7  2508 1184 ?   S    00:19   0:00 /usr/sbin/sshd
root 8050  0.0  1.1  5812 1796 ?  S    18:14   0:01 /usr/sbin/sshd

Netstat reveals this:
================================================Active Internet connections
(servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State    
    PID/Program name
tcp  0  0 *:ssh              *:*                LISTEN   216/sshd
tcp  0  0 192.168.0.1:ssh    192.168.0.15:1084  ESTABLISHED 8050/sshd
udp  0  0 *:32768            *:*                195/ddtcd
udp  0  0 *:1052             *:*                195/ddtcd
udp  0  0 *:bootps           *:*                200/dhcpd
udp  0  0 *:bootpc           *:*                116/dhclient
raw  0  0 *:icmp             *:*    7           200/dhcpd

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    
Path
unix  6      [ ]         DGRAM   173    189/syslogd   /dev/log
unix  2      [ ]         DGRAM   12619  116/dhclient
unix  2      [ ]         DGRAM   232    200/dhcpd
unix  2      [ ]         DGRAM   217    195/ddtcd
unix  2      [ ]         DGRAM   210    192/klogd

===========================================
Anyway, doesn''t give any errors and i can login from the local machine
to
the firewall.
The version of OpenSSH i have is 3.5p1-1

My /etc/ssh/sshd.conf file:
===========================arthur:/etc/ssh# cat sshd_config
# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don''t read the user''s ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don''t trust ~/.ssh/known_hosts for 
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem       sftp    /usr/lib/sftp-server

===============================================
Thanks

_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail

> So, my guess is the /etc/hosts.allow file is wrong or my isp blocking this 
> port.
> Do you have a specific entry for /etc/hosts.allow? Mine is empty as is my 
> /etc/hosts.deny.
Both of mine are empty.

> Another thing i noticed is that i have 2 sshd''s running
> root 216  0.0  0.7  2508 1184 ?   S    00:19   0:00 /usr/sbin/sshd
> root 8050  0.0  1.1  5812 1796 ?  S    18:14   0:01 /usr/sbin/sshd
One is the sshd listening for new connections.  One is the connection
you are currently using.  Nothing odd there.

> The version of OpenSSH i have is 3.5p1-1
I''m still at 3.4p1.

> My /etc/ssh/sshd.conf file:
> ...
> PermitRootLogin yes
I''d really change that one to "no".

Other than that, my settings are identical to yours.

Try simply telneting to your FW on port 22 from your office.  If you get
the OpenSSH banner greeting, you know your ISP isn''t blocking the port.
 If not, it''s something with your sshd probably.

- Colin

>Try simply telneting to your FW on port 22 from your office.  If you 
> >getthe OpenSSH banner greeting, you know your ISP isn''t
blocking the
> >port.If not, it''s something with your sshd probably.
I did that at work and i i''m pretty sure i got a banner.
it''s a pain i have to wait a day to try and test this.
i wish there was another way to "fake" an external login to the server
so
one could test and see what happens. would be a lot quicker than to wait a 
whole day to test something.

i have an account at http://www.ddts.org/ so i can use a name to resolve my 
changing ip address. i tried to "fake" the external login by using
this name
to login to the server but that doesn''t work.



_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online 
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

>From: "Benedict Verheyen" <wsbenedictv@hotmail.com>
>To: colin@easydns.com
>CC: shorewall-users@shorewall.net
>Subject: Re: [Shorewall-users] can''t access firewall with SSH from
net
>Date: Wed, 06 Nov 2002 23:18:25 +0100
>
>
>>Try simply telneting to your FW on port 22 from your office.  If you 
>> >getthe OpenSSH banner greeting, you know your ISP isn''t
blocking the
>> >port.If not, it''s something with your sshd probably.
>
>I did that at work and i i''m pretty sure i got a banner.
>it''s a pain i have to wait a day to try and test this.
>i wish there was another way to "fake" an external login to the
server so
>one could test and see what happens. would be a lot quicker than to wait a 
>whole day to test something.
>
>i have an account at http://www.ddts.org/ so i can use a name to resolve my 
>changing ip address. i tried to "fake" the external login by using
this
>name to login to the server but that doesn''t work.
>
Oh, one thing that might be different in our setups: i use ssh protocol 2. 
not sure if this could be causing this?

_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*  
http://join.msn.com/?page=features/junkmail

Benedict Verheyen wrote:
>>Try simply telneting to your FW on port 22 from your office.  If you 
>> >getthe OpenSSH banner greeting, you know your ISP isn''t
blocking the
>> >port.If not, it''s something with your sshd probably.
> 
> I did that at work and i i''m pretty sure i got a banner.
> it''s a pain i have to wait a day to try and test this.
> i wish there was another way to "fake" an external login to the
server so
> one could test and see what happens. would be a lot quicker than to wait a 
> whole day to test something.
Get home.  SSH to an outside server (like your work server).  From
there, try SSH-ing back to your FW.

> i have an account at http://www.ddts.org/ so i can use a name to resolve my
> changing ip address. i tried to "fake" the external login by
using this name
> to login to the server but that doesn''t work.
Are you saying your FW is on a dynamic IP?  Hopefully, when you trying
to connect to your FW, your DNS has propogated so you are sure that
my-fw.yourdomain.com is pointing the right IP your cable company gave
you.  If your IP changed, and DNS hasn''t propogated, you could very
well
be trying to connect to another server ... which would explain a) the
failures, and b) the lack of log info on your FW box.  :)

- Colin

>Get home.  SSH to an outside server (like your work server).  From
>there, try SSH-ing back to your FW.
i don''t have such a machine available but indeed that''s a good
setup!
>Are you saying your FW is on a dynamic IP?  Hopefully, when you trying
>to connect to your FW, your DNS has propogated so you are sure that
>my-fw.yourdomain.com is pointing the right IP your cable company gave
>you.  If your IP changed, and DNS hasn''t propogated, you could very
well
>be trying to connect to another server ... which would explain a) the
>failures, and b) the lack of log info on your FW box.  :)
>
Yeah, but it doesn''t change often so i''m positively sure that
the ip i was
using was to my server. and i tried with both the hostname i have with 
ddts.net and with the ip address. the ip from my server is synced back to 
the ddts name server every minute so i don''t think this is the problem.

--On Wednesday, November 06, 2002 6:40 PM +0100 Benedict Verheyen 
<wsbenedictv@hotmail.com> wrote:
> Also, today i tried to login from work to the firewall several times
> and when i came home i checked /var/log/messages. Not one packet was
> logged there that had to do with ssh so the connection presumably
didn''t
> reach the firewall otherwise it would have logged the deny or drop lines!
>
If you are not seeing Shorewall messages referring to TCP port 22 then your 
Shorewall configuration is almost certainly ok.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

>Try simply telneting to your FW on port 22 from your office.  If you >get
>the OpenSSH banner greeting, you know your ISP isn''t blocking the
>port.
>  If not, it''s something with your sshd probably.
>
>- Colin
Hhhhm. i tried this again since i wasn''t sure and i don''t get
the banner.
i''m using putty at work and i tried both telnet and ssh with the ip and
the
hostname and all of these don''t produce the banner so i was wrong.
This afternoon i''ll try to connect from here to another linux system
and
connect from there to my home system to see if that succeeds.

I think i will have to reconfigure ssh though or maybe even try to downgrade 
the version i''m having.

_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8. 
http://join.msn.com/?page=features/junkmail